Investigate why new DAST aggregated vulnerabilities are dismissed
Problem to solve
When the DAST feature aggregate vulnerabilities is turned on for the first time, a new vulnerability finding will be detected where previously there were many.
There is a possibility that the new vulnerability picks up the status/issue/references from the previous vulnerability findings of the same type. An example of this is shown in the video https://youtu.be/6uCpqagfv68.
User experience goal
Aggregated vulnerabilities are new vulnerabilities; they should not be automatically dismissed, nor should they link to issues that belong to other vulnerabilities.
Worth investigation
- DAST aggregated vulnerabilities use the host and port of the target as the vulnerability finding location, rather than a full URL. Could this be causing any issues?
- Is there any behaviour in Rails that aims to copy status/issues etc from other vulnerabilities to new vulnerabilities?
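To make the host/port hypothesis concrete, the following is an added illustration (not GitLab's own fingerprinting code): it models finding identity as a hash over a few fields and shows how an identity key that stops at host and port makes one aggregated finding match every previous per-URL finding of the same type, while a key that also includes the path matches none of them. The finding fields, state names and hashing scheme are assumptions, and the sample findings are constructed, not taken from the attached JSON files.

```python
"""Hypothetical model of finding identity for the host/port hypothesis above.
This is an added illustration, not GitLab's actual fingerprinting code."""
import hashlib

# Constructed sample findings (not the page's attached JSON files).
# The old scan reported one finding per affected URL; the aggregated scan
# reports a single finding located at the target host and port only.
NON_AGGREGATED = [
    {"name": "Missing X-Content-Type-Options", "state": "dismissed",
     "location": {"hostname": "app.example.test", "port": "443", "path": "/"}},
    {"name": "Missing X-Content-Type-Options", "state": "dismissed",
     "location": {"hostname": "app.example.test", "port": "443", "path": "/login"}},
    {"name": "Missing X-Content-Type-Options", "state": "confirmed",
     "location": {"hostname": "app.example.test", "port": "443", "path": "/api"}},
]
AGGREGATED = [
    {"name": "Missing X-Content-Type-Options", "state": "detected",
     "location": {"hostname": "app.example.test", "port": "443"}},
]


def fingerprint(finding, include_path):
    """Identity key for a finding: name + host + port, optionally + path."""
    loc = finding["location"]
    parts = [finding["name"], loc["hostname"], loc["port"]]
    if include_path:
        parts.append(loc.get("path", ""))
    return hashlib.sha256("|".join(parts).encode()).hexdigest()


def inherited_states(old_findings, new_findings, include_path):
    """Map each new finding's name to the states of the old findings it would
    be matched with (and could inherit status/issues from) under this key."""
    by_fp = {}
    for f in old_findings:
        by_fp.setdefault(fingerprint(f, include_path), []).append(f["state"])
    return {f["name"]: by_fp.get(fingerprint(f, include_path), [])
            for f in new_findings}


def distinct_old_keys(old_findings, include_path):
    """How many identities the old per-URL findings collapse to."""
    return len({fingerprint(f, include_path) for f in old_findings})


if __name__ == "__main__":
    for include_path in (False, True):
        print("path in key:", include_path,
              "| old keys:", distinct_old_keys(NON_AGGREGATED, include_path),
              "| new matches:", inherited_states(NON_AGGREGATED, AGGREGATED, include_path))
```

With the host/port-only key the three old findings collapse to a single identity that the new aggregated finding also hashes to, so any logic keyed on that identity would carry the old dismissed/confirmed state forward; with the path included there is no match.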
Further details
DAST JSON files outputted from the example in the YouTube video are included below, in case others would like to test it.
You can test it by:
- Create a new project with both of these files in the repository.
- Create a `.gitlab-ci.yml` file with the following contents:

```yaml
stages:
  - dast

dast:
  stage: dast
  image: alpine:3.10.3
  script:
    - cp non-aggregated-vulns.json gl-dast-report.json
  artifacts:
    reports:
      dast: gl-dast-report.json
```

- Run a pipeline on master so that vulnerabilities are created in the Vulnerability Report page.
- Create a new branch, changing `cp non-aggregated-vulns.json gl-dast-report.json` to `cp aggregated-vulns.json gl-dast-report.json`. Commit and push.
- Create a Merge Request for the new branch. Wait for the pipeline to run, then inspect the Security widget.
- Merge the MR and wait for the pipeline to run to see the effect on vulnerabilities in the Vulnerability Report.
| Non Aggregated Report | Aggregated Report |
|---|---|
| non-aggregated-vulns.json | aggregated-vulns.json |
What does success look like, and how can we measure that?
New DAST aggregated vulnerabilities are not dismissed by default.
What is the type of buyer?
Edited by Cameron Swords